Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Should "request" cookies have the secure flag set?

Tags:

security

cookies

django

I have a django app. That app has 2 main cookies that are returned from the server (csrftoken and sessionid). I set the SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE flags in my settings.py file to True, and if I examine the initial request to login to my app I see that both of those cookies have the "secure" flag set in the response from the server.

When I am examining cookies in my app, I notice there are "request cookies" and "response cookies". The "response cookies" are the ones that have their flags set. The request cookies do not.

My question: Is there some way to force "request cookies" to have their secure flag set? Is this even a security concern? My application traffic is over https, so all connections between the browser and the server will already be encrypted from that...

like image 631
Brian Ambielli Avatar asked Nov 16 '15 21:11

Brian Ambielli

1 Answers

It doesn't really work that way ... The flags are only present in the Set-Cookie header (the response).

When the client (a browser) receives a Set-Cookie header, it will store the flags together with the cookie value, but only for its own usage (so that the browser itself can know when and where to send the cookie value if necessary).

The Cookie header (request) cannot contain flags; it is only a list of <cookie-name>=<cookie-value> pairs and when you (the server) receive them, you're not even guaranteed to have set them yourself.
That's because any application under the same domain name can set cookies for that said domain. For example, an application running on example.com/foo would be able to set a cookie for example.com/bar, or even for another.example.com.

However, excluding the possibility of really horrible browser bugs, you can be sure that if you set the "secure" flag for a cookie in your response, the receiving browser won't send it over a non-encrypted connection.
It's not really 100% guaranteed, but it's really the only option you have and the pretty much the whole web relies on browsers behaving properly, so you're not alone in that.

Sadly, that's just how cookies work. Read the official standard for them here if you're interested in learning more about them.

like image 192
Narf Avatar answered Sep 24 '22 02:09

Narf
Sign in to Comment

Related questions

How to setup a Postgres extension?
Django on Amazon Web Service (AWS)
Django 'str' object is not callable. How to deal with it?
Celery Logging: consistent way to log inside and outside of a task
How can I avoid ProgrammingError: can't adapt type 'DateTimeRangeField' when saving a Django model instance to a remote database?
Django + MySQL on Elastic Beanstalk - Error When Querying MySQL
Storing Default Values for BooleanField() and IntegerField() in Django REST
How can I call a clean method before get_or_create saves to the database?
Django Rest Framework: How do I order/sort a search/filter query?
Import app in django project
Mongoengine query set to list conversion
How to get data from django celery tasks
Django: validating unique_together constraints in a ModelForm with excluded fields
Fetching queryset data one by one
Get Current User in django-filter Method
Django - Real Time Notification System
Upgraded to OSX 10.11 El Capitan, now cannot use MySQL with Python/Django
Django Rest Framework will not display more than one URL at time?
Show preview of image in form
Django - what is best practice - Calculating field values [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!